Java: add comments for reflection-related models

Jami Cogswell · Jami Cogswell · commit 62d64d5828f4 · 2023-03-23T18:00:21.000-04:00
diff --git a/java/ql/lib/ext/java.lang.model.yml b/java/ql/lib/ext/java.lang.model.yml
@@ -140,9 +140,9 @@ extensions:
       - ["java.lang", "Class", "forName", "(String)", "manual"]
       - ["java.lang", "Class", "getCanonicalName", "()", "manual"]
       - ["java.lang", "Class", "getClassLoader", "()", "manual"]
-      - ["java.lang", "Class", "getDeclaredConstructor", "(Class[])", "manual"]
-      - ["java.lang", "Class", "getDeclaredField", "(String)", "manual"]
-      - ["java.lang", "Class", "getMethod", "(String,Class[])", "manual"]
+      - ["java.lang", "Class", "getDeclaredConstructor", "(Class[])", "manual"]  # This model may be changed to a taint step for an unsafe reflection query in the future.
+      - ["java.lang", "Class", "getDeclaredField", "(String)", "manual"]         # This model may be changed to a taint step for an unsafe reflection query in the future.
+      - ["java.lang", "Class", "getMethod", "(String,Class[])", "manual"]        # This model may be changed to a taint step for an unsafe reflection query in the future.
       - ["java.lang", "Class", "getName", "()", "manual"]
       - ["java.lang", "Class", "getResource", "(String)", "manual"]
       - ["java.lang", "Class", "getResourceAsStream", "(String)", "manual"]
diff --git a/java/ql/lib/ext/java.lang.reflect.model.yml b/java/ql/lib/ext/java.lang.reflect.model.yml
@@ -3,6 +3,7 @@ extensions:
       pack: codeql/java-all
       extensible: neutralModel
     data:
+      # The below models may be changed to taint steps for an unsafe reflection query in the future.
       - ["java.lang.reflect", "Constructor", "newInstance", "(Object[])", "manual"]
       - ["java.lang.reflect", "Field", "get", "(Object)", "manual"]
       - ["java.lang.reflect", "Method", "getName", "()", "manual"]
